21867 Views, 11 Helpful, 74 Replies

Site to Site VPN with Full Internet tunnel one Site has a static IP

heshamcentrino1 (Spotlight)


Dear All Members,

I am trying to set up the 819 4G Router as a VPN client (router) with the purpose of full internet tunnelling.
The goal is that the remote user behind the 4G router, when he travels overseas and connects to any 4G network and checks "what's my IP?", gets the static IP of the home network 193.237.X.X.

Basically, I am trying to set up a network similar to EXPRESS VPN or BearVPN.

I have one static IP at home, but the remote router may sometimes have a CGNAT IP or a dynamic IP address.

I have googled and searched this forum to see what the best configuration method for it is. Please help me with the home router and remote router configuration that makes it work.

Currently the 3945E home router has AnyConnect with full tunnel, which works with AnyConnect endpoints (e.g. iPhone, Android, Windows PC) but not with a router.

74 Replies

Now we have the spoke pass all internet traffic through the tunnel to the hub.

This spoke router needs a static route for the tunnel destination pointing to the ISP the spoke uses.

This makes the tunnel up/up.

Then, through the tunnel, as you mention, EIGRP will learn a default route (via the tunnel).

So any traffic reaching the spoke router destined for the Internet will use the EIGRP default route via the tunnel.

Here we don't need to separate the tunnel from the tunnel source/destination by VRF.

MHM

@MHM Cisco World Thank you very much again for your help. OK, you mentioned "This spoke router needs a static route for the tunnel destination pointing to the ISP the spoke uses."

Could you please give me the configuration statement for how I can do it? I did the default route to the tunnel and it was down. I don't know how I can static route it, please?

 


10.47.40.42 

interface Tunnel1
ip unnumbered Loopback1
tunnel source Cellular0
tunnel destination 193.237.XXX.XXX <<- add static route "ip route 193.237.XXX.XXX 255.255.255.255 Cellular0"
tunnel vrf WAN << remove anything related to VRF
tunnel protection ipsec profile IPSEC_PROFILE

!
ip route 0.0.0.0 0.0.0.0 Cellular0 <<- remove this default route and make sure that the ISP does not push a default route to your router

After the above, the only default route is the one learned via EIGRP (tunnel).
MHM

@MHM Cisco World Thank you so much for helping me.

There is no VRF; I removed that already, and the tunnel between both sites is up/up.
On the hub, I put ip nat inside underneath the tunnel interface as you mentioned before.

On the spoke I did this:

ip nat inside source list DSL_ACCESSLIST interface Cellular0 overload
no ip route 0.0.0.0 0.0.0.0 Cellular0
ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
By the way, 193.237.XXX.XXX is my hub static IP.

I still don't get internet connectivity. Please let me know what else I can do.

Also, I got confused here when you said:
interface Tunnel1
tunnel destination 193.237.XXX.XXX <<- add static route "ip route 193.237.XXX.XXX cellular0"
Should I keep the bolded statement or remove it under Tunnel1? I added the static route above as you mentioned.

NOW the tunnel is UP/UP.
The NAT must be done under the tunnel in the hub and in the spoke:
ip nat inside source list Spoke-LAN interface Cellular0 overload <<- Spoke-LAN matches the subnet behind the spoke router
The tunnel in the hub must be configured with "ip nat inside".
NOW the traffic from the spoke LAN goes to the hub, and the hub will NAT it to the public IP and forward it to the internet.
MHM


ip nat inside source list Spoke-LAN interface Cellular0 overload >>>> Yes, this one I know; I made it with an extended access list with my spoke LAN underneath, which works fine.

I put ip nat inside under both tunnels.

In the hub I did it under:
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly in
tunnel source Dialer1
tunnel protection ipsec profile IPSEC_PROFILE

In the Spoke 

interface tunnel1
ip unnumbered loopback 1
ip nat inside
tunnel source cellular 0
tunnel destination 193.237.XXX.XXX
tunnel protection ipsec profile IPSEC_PROFILE
no shut

Still doesn't work :'( and from the spoke LAN computer I did a tracert and it gets stuck at the spoke router gateway.

Sorry for the inconvenience, and really, thank you so much for helping out.

Could you confirm that this statement is correct?
ip route 193.237.XXX.XXX 255.255.255.255 Cellular0

interface tunnel1
ip unnumbered loopback 1
ip nat inside <- remove this
tunnel source cellular 0
tunnel destination 193.237.XXX.XXX
tunnel protection ipsec profile IPSEC_PROFILE
no shut

ip route 193.237.XXX.XXX 255.255.255.255 Cellular0 <- this is correct

Share show crypto session detail

MHM
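Putting the pieces of this exchange together, here is a complete hub-and-spoke pair in the shape discussed: DVTI on the hub, SVTI on the spoke, a host route for the tunnel endpoint out of the cellular interface, no local default route on the spoke, a hub-originated EIGRP default, and NAT done once on the hub. This is an added example, not either participant's configuration. The IKEv2/IPsec names, the wildcard pre-shared-key keyring, EIGRP AS 1, the 172.16.0.0/24 tunnel addressing, the SPOKE-LAN list, the MSS value and the redistribute metric values are assumptions; 193.237.XXX.XXX is the thread's masked hub address.

```ios
! ===== HUB: 3945E, static public IP 193.237.XXX.XXX on Dialer1 =====
crypto ikev2 proposal IKEV2_PROP
 encryption aes-gcm-256
 prf sha512
 group 21
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROP
!
! Wildcard peer because the spoke's address is dynamic/CGNAT. A PSK shared with
! a travelling router is the weakest link here; certificates are preferable.
crypto ikev2 keyring KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key <long-random-psk>
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain lab.net
 identity local fqdn R1.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 virtual-template 2
!
crypto ipsec transform-set TS esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS
 set ikev2-profile IKEV2_PROFILE
!
interface Loopback1
 ip address 172.16.0.1 255.255.255.0
interface Dialer1
 ip nat outside
!
! DVTI: a Virtual-Access is cloned from this template per spoke. "ip nat inside"
! here is what makes the hub translate spoke traffic to its static address.
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 ip nat inside
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel protection ipsec profile IPSEC_PROFILE
!
ip access-list extended SPOKE-LAN
 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list SPOKE-LAN interface Dialer1 overload
!
! Hand the hub's own static default to the spokes, and nothing else static.
! The five metric values (bandwidth, delay, reliability, load, MTU) are placeholders.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list DEFAULT-ONLY
router eigrp 1
 network 172.16.0.0 0.0.0.255
 redistribute static metric 1000 100 255 1 1500 route-map STATIC-TO-EIGRP
ip route 0.0.0.0 0.0.0.0 Dialer1

! ===== SPOKE: 819 4G, dynamic or CGNAT address on Cellular0 =====
! (same ikev2 proposal/policy, transform-set and ipsec profile as the hub)
crypto ikev2 keyring KEYRING
 peer HUB
  address 193.237.XXX.XXX
  pre-shared-key <long-random-psk>
crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn R1.lab.net
 identity local fqdn R2.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
interface Loopback1
 ip address 172.16.0.2 255.255.255.0
!
! SVTI: no "ip nat inside" here; translation happens once, at the hub.
interface Tunnel1
 ip unnumbered Loopback1
 ip tcp adjust-mss 1360
 tunnel source Cellular0
 tunnel destination 193.237.XXX.XXX
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
 ip address 192.168.100.253 255.255.255.0
!
router eigrp 1
 network 172.16.0.0 0.0.0.255
 network 192.168.100.0 0.0.0.255
!
! The only destination reachable directly over the cellular link is the hub.
! No "ip route 0.0.0.0 0.0.0.0 Cellular0", and no "ppp ipcp route default" on
! the cellular PPP session, so the only default is the one EIGRP learns
! through Tunnel1.
ip route 193.237.XXX.XXX 255.255.255.255 Cellular0
```

After both sides are up, the spoke's `show ip route 0.0.0.0` should show a D*EX default via Tunnel1 and the hub's `show ip nat translations` should fill with 192.168.100.x entries as clients browse. One caveat the "what's my IP" test does not catch: hosts behind the spoke must also resolve DNS through the tunnel (point them at a resolver that is only reachable via the hub), otherwise the web check shows the home address while every DNS query still leaves over the carrier.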

@MHM Cisco World Thanks a million for all your help. I corrected tunnel1 and removed ip nat inside.
Also, could you please share the show run of your hub and spoke configuration from your lab? That would be very helpful to me.

And here you are:


-----------------SPOKE ROUTER-------------------

R2_Router#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel1
Profile: IKEV2_PROFILE
Uptime: 00:01:04
Session status: UP-ACTIVE
Peer: 193.237.XXX.XXX port 4500 fvrf: (none) ivrf: (none)
Phase1_id: R1.lab.net
Desc: (none)
Session ID: 1
IKEv2 SA: local 162.167.209.152/4500 remote 193.237.XXX.XXX/4500 Active
Capabilities:N connid:1 lifetime:23:58:56
IPSEC FLOW: permit 47 host 162.167.209.152 host 193.237.XXX.XXX
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 19 drop 0 life (KB/Sec) 4294215/3536
Outbound: #pkts enc'ed 26 drop 0 life (KB/Sec) 4294214/3536

R2_Router#

------------------HUB ROUTER-------------------

HeshamCentrino-UK#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: Virtual-Access5
Profile: IKEV2_PROFILE
Uptime: 00:02:32
Session status: UP-ACTIVE
Peer: 172.58.111.213 port 58636 fvrf: (none) ivrf: (none)
Phase1_id: R2.lab.net
Desc: (none)
Session ID: 9
IKEv2 SA: local 193.237.XXX.XXX/4500 remote 172.58.111.213/58636 Active
Capabilities:N connid:1 lifetime:23:57:28
IPSEC FLOW: permit 47 host 193.237.XXX.XXX host 172.58.111.213
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 53 drop 0 life (KB/Sec) 4181907/3448
Outbound: #pkts enc'ed 38 drop 0 life (KB/Sec) 4181910/3448

HeshamCentrino-UK#

The tunnel is UP/UP.
Can I see show ip route on the spoke and hub?

By the way, I ran a lab and it works perfectly.

@MHM Cisco World Thanks again for all your help and efforts.

After looking at your configurations I saw that I had missed putting the spoke network address under the access list of the hub, so I added that, but it still didn't work.

Also, could you please share the show run of your hub and spoke configuration from your lab? That would be very helpful to me.

Also, I noticed you wrote redistribute static metric x x x x x. I don't have that statement in my hub router. What should I substitute for x x x x x?


Hub router

S* 0.0.0.0/0 [1/0] via 100.68.0.1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.1.0.0/24 is directly connected, Loopback3
L 10.1.0.1/32 is directly connected, Loopback3
C 10.1.1.0/24 is directly connected, Loopback4
L 10.1.1.1/32 is directly connected, Loopback4
D 10.3.0.0/24 [90/27008000] via 172.16.0.2, 00:02:07, Virtual-Access5
D 10.3.1.0/24 [90/27008000] via 172.16.0.2, 00:02:07, Virtual-Access5
C 10.10.10.10/32 is directly connected, Loopback0
100.0.0.0/32 is subnetted, 1 subnets
C 100.68.0.1 is directly connected, Dialer1
142.202.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 142.YYY.YY.0/24 is directly connected, GigabitEthernet0/1.101
L 142.YYY.YY.253/32 is directly connected, GigabitEthernet0/1.101
C 142.ZZZ.ZZ.0/24 is directly connected, GigabitEthernet0/1.102
L 142.ZZZ.ZZ.253/32 is directly connected, GigabitEthernet0/1.102
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D 172.16.0.0/24 [90/27008000] via 172.16.0.2, 00:02:07, Virtual-Access5
C 172.16.0.1/32 is directly connected, Loopback1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1.103
L 192.168.1.254/32 is directly connected, GigabitEthernet0/1.103
192.168.10.0/32 is subnetted, 1 subnets
S 192.168.10.4 [0/0], Virtual-Access2
D 192.168.100.0/24 [90/26882560] via 172.16.0.2, 00:02:07, Virtual-Access5
193.237.XXX.0/32 is subnetted, 1 subnets
C 193.237.XXX.XXX is directly connected, Dialer1
HeshamCentrino-UK#
---------------------------------------------------------
Spoke Router
R2_Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 192.168.1.1
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D 10.1.0.0/24 [90/27008000] via 172.16.0.1, 00:04:00, Tunnel1
D 10.1.1.0/24 [90/27008000] via 172.16.0.1, 00:04:00, Tunnel1
C 10.3.0.0/24 is directly connected, Loopback2
L 10.3.0.1/32 is directly connected, Loopback2
C 10.3.1.0/24 is directly connected, Loopback3
L 10.3.1.1/32 is directly connected, Loopback3
100.0.0.0/32 is subnetted, 1 subnets
C 100.140.21.145 is directly connected, Cellular0
142.202.0.0/24 is subnetted, 2 subnets
D 142.YYY.YY.0 [90/26880256] via 172.16.0.1, 00:04:00, Tunnel1
D 142.ZZZ.ZZ.0 [90/26880256] via 172.16.0.1, 00:04:00, Tunnel1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, Loopback1
D 172.16.0.1/32 [90/27008000] via 172.16.0.1, 00:04:00, Tunnel1
L 172.16.0.2/32 is directly connected, Loopback1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0
L 192.168.1.60/32 is directly connected, GigabitEthernet0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.253/32 is directly connected, Vlan1
193.237.XXX.0/32 is subnetted, 1 subnets
S 193.237.XXX.XXX is directly connected, Cellular0
R2_Router#

S* 0.0.0.0/0 [254/0] via 192.168.1.1 <- this default route is not a route learned from D (EIGRP)?

MHM
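The line MHM flags above is the whole story of the spoke's table: the only default is a floating static (AD 254), which means EIGRP is not delivering one at all. As an added example (not from the thread), the following script parses a spoke's `show ip route` and reports the two conditions this design depends on: a single default route learned by EIGRP through the tunnel, and a static host route to the hub's public address out of the cellular interface rather than through the tunnel itself. It also distinguishes a static default that shadows the EIGRP one (AD below 170) from a floating static that is only installed because nothing better exists. BEFORE is the spoke output posted above (trimmed); AFTER and SHADOWED are constructed variants; the function names and the assumption that a hub-redistributed default arrives as EIGRP external (AD 170) are mine.

```python
"""Check a spoke's `show ip route` for the full-tunnel conditions this thread
converges on: exactly one default route, learned by EIGRP through the tunnel,
plus a static host route to the hub's public address out of the underlay
(cellular) interface so the tunnel endpoint is never recursed through the
tunnel itself. Added example; function names are mine."""
from __future__ import annotations

import re

# One IOS route line: code(s), prefix, optional [AD/metric], optional next hop or
# "is directly connected", optional age, optional outgoing interface. Legend and
# "is subnetted" header lines never match: their second token has no dot, or
# they do not start with a route code.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9*]*(?: (?:EX|E1|E2|IA|N1|N2))?)\s+"
    r"(?P<prefix>\S*\.\S*)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<via>[^,\s]+)|\s+is directly connected)?"
    r"(?:,\s*[0-9:a-z]+)?"
    r"(?:,?\s*(?P<iface>[A-Z][A-Za-z0-9/.\-]*))?\s*$"
)

# A default redistributed at the hub ("redistribute static ...") arrives as an
# EIGRP external route, AD 170. (A default generated with "ip summary-address
# eigrp" would be internal, AD 90.)  Assumption of this example.
EIGRP_EXTERNAL_AD = 170


def parse_routes(show_ip_route: str) -> list[dict]:
    """Return one dict per installed route; AD is 0 for connected/local."""
    routes = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ad"] = int(r["ad"]) if r["ad"] is not None else 0
            routes.append(r)
    return routes


def check_full_tunnel(show_ip_route: str, hub_ip: str,
                      tunnel_iface: str = "Tunnel1",
                      underlay_iface: str = "Cellular0") -> list[str]:
    """Return findings; an empty list means internet traffic is forced into the tunnel."""
    routes = parse_routes(show_ip_route)
    findings = []

    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("no default route: the hub is not advertising 0.0.0.0/0 over "
                        "EIGRP, or the EIGRP adjacency across the tunnel is down")
    for r in defaults:
        where = r["via"] or r["iface"]
        if r["code"].startswith("D"):
            if r["iface"] != tunnel_iface:
                findings.append(f"EIGRP default leaves via {r['iface']}, not {tunnel_iface}")
        elif r["ad"] < EIGRP_EXTERNAL_AD:
            # e.g. "ip route 0.0.0.0 0.0.0.0 Cellular0" (AD 1) or an IPCP-installed default
            findings.append(f"{r['code']} default via {where} (AD {r['ad']}) shadows the EIGRP "
                            f"default (AD {EIGRP_EXTERNAL_AD}); remove it and make sure the "
                            f"ISP/PPP session does not install one")
        else:
            # floating static (AD >= 170) is only installed because EIGRP offers nothing
            findings.append(f"floating {r['code']} default via {where} (AD {r['ad']}) is in "
                            f"the table only because no EIGRP default is being learned; "
                            f"fix the hub's redistribution first")

    hub_routes = [r for r in routes if r["prefix"] in (hub_ip, hub_ip + "/32")]
    if not hub_routes:
        findings.append(f"no host route to hub {hub_ip}: add "
                        f"'ip route {hub_ip} 255.255.255.255 {underlay_iface}'")
    for r in hub_routes:
        if r["iface"] == tunnel_iface:
            findings.append(f"route to hub {hub_ip} recurses through {tunnel_iface}; "
                            "the tunnel will flap")
        elif r["iface"] != underlay_iface:
            findings.append(f"route to hub {hub_ip} leaves via {r['iface']}, "
                            f"expected {underlay_iface}")
    return findings


# BEFORE is the spoke table posted above (trimmed); AFTER and SHADOWED are
# constructed variants: the hub now redistributes a default, and the spoke
# still has its own default on Cellular0, respectively.
BEFORE = """\
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 192.168.1.1
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D        10.1.0.0/24 [90/27008000] via 172.16.0.1, 00:04:00, Tunnel1
C        10.3.0.0/24 is directly connected, Loopback2
      100.0.0.0/32 is subnetted, 1 subnets
C        100.140.21.145 is directly connected, Cellular0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Loopback1
D        172.16.0.1/32 [90/27008000] via 172.16.0.1, 00:04:00, Tunnel1
C        192.168.100.0/24 is directly connected, Vlan1
      193.237.XXX.0/32 is subnetted, 1 subnets
S        193.237.XXX.XXX is directly connected, Cellular0
"""
AFTER = BEFORE.replace("S*    0.0.0.0/0 [254/0] via 192.168.1.1",
                       "D*EX  0.0.0.0/0 [170/27008000] via 172.16.0.1, 00:00:42, Tunnel1")
SHADOWED = BEFORE.replace("S*    0.0.0.0/0 [254/0] via 192.168.1.1",
                          "S*    0.0.0.0/0 [1/0] is directly connected, Cellular0")

if __name__ == "__main__":
    for name, table in (("BEFORE", BEFORE), ("SHADOWED", SHADOWED), ("AFTER", AFTER)):
        print(name, check_full_tunnel(table, "193.237.XXX.XXX") or ["ok"])
```

Run it against the pasted table and it reports only the floating default; the host route to the hub is already right. The same check is useful after a cellular reconnect, which is when a carrier-pushed default tends to reappear.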

@MHM Cisco World So, how can I rectify it? What do I do to fix it?

Why did you add this default route?

Remove it and check.

MHM

We have two issues here:
1- The interface IP changes (dynamic); we can configure the branch router as a dynamic policy-based VPN,
but here we will face the second issue:
2- You want to force all traffic via the VPN; here, using IPsec VPN is hard.
So the solution is:
A- DMVPN:
hub is core,
branch is spoke, and you need a front VRF for the default route.
B- Using DVTI to SVTI.

MHM

Torbjørn (Spotlight)

You can try to enter "proposal default" under your IKEv2 policy (I thought it used it by default). If that doesn't work, you can create a new proposal and attach it like this:

crypto ikev2 proposal AES-GCM256-SHA512-DF21 
 encryption aes-gcm-256
 prf sha512
 group 21
crypto ikev2 policy IKEV2_POLICY
 proposal AES-GCM256-SHA512-DF21 


Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev